This isn't all that interesting. There's no exploit as we hope to know it, but rather it's just glorified search via another means. And indeed, Copilot is simply using Microsoft Search (which federates with SPO Search) to find the content to return. Audit logs still exist!

The article author also fails to identify that one of the more effective ways of combating this is Sensitivity Labels (yeah, another subscription, but big companies don't care). But correctly states that permission hygiene is the most effective way to do this.

> when files and images are shared on Microsoft Teams, SharePoint automatically creates a site for them.

And no, that's not how it works. A Microsoft Team already has an SPO site. When a file is uploaded to a Team, it is actually uploaded to SPO. In a 1:1 or 1:Many chat outside of a Team, it is uploaded to the sender's OneDrive account.